Comment

The problem you have with the proposed solution is that you add another potential point of failure by moving the TS farm from the same site as the clients. In which case you'll have to think about a redundant link to the datacentre.

The AD authentication would normally be on the DC located on the same site as the TS (providing AD sites are configured; otherwise it'll be the first available DC).
When logging on to a TS, the authentication requests are forwarded by the terminal server as above.
Your current setup is more resilient in a way, because the WAN failure won't affect TS availability, and if the DC in the branch office was to fail as well as the WAN link, you could still use the TS with cached credentials.

Comment

Perhaps I should give more information. (I apologize I did not already.)

I have 10 people in the office that use the Citrix system (via thin clients / win xp over http) and 40 people who come in from the outside (http).

80% of my users are outside my current building and it seems I have the choice of beefing up my system (backup internet, backup generator power, SAN instead of local storage for HA) or I could move to a datacenter who provides this as part of the monthly leasing.

Exchange:
Most people use Citrix or OWA, but I have several who just use Outlook and network shares.

Printers:
Thin Clients: I need to map several network printers and I fear the traffic will have to go through the vpn to be printed at my local office.
If I separate the network, I don't see how the thin clients will be able to print locally inside my office (they run HP Thin Pro).

Comment

Since most of your users seem to be accessing the datacenter directly, you'll probably want two DCs there. If for no other reason, just for redundancy's sake.

I'm not familiar with Citrix; does it create a tunnel to your terminal servers for you? I'm curious: do external users need to VPN in first, and then authenticate again to AD? Or is it all integrated somehow? To answer your question regarding which DC your users will authenticate against, you can configure your DNS to give priority to one DC or another. If you have multiple DNS servers (a local DNS server for the office workers, for example) you can have finer control over which DC does authentication for which users.

One thing to consider for your VPN, for future expansibility, is to leverage something like DMVPN. The main advantage being traffic between sites flow directly to each other, as opposed to through the head-end first. So if you plan to open another office at some point, the configuration change would be minor.

Or if you have a lot of remote workers who need to VPN in from non-work machines, SSLVPN might be your pick; a truly skinny client. But your choice would affect what type of hardware you buy, typically ISR routers perform better with IPSec/DMVPN/EZVPN, whereas ASAs perform better with SSLVPN. Though this may have changed since the last time I checked.
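As an added illustration (not from this thread or any poster), here is how the DNS priority the reply above mentions can be inspected from a domain member and, on a DC, adjusted so the DC locator prefers one datacenter DC over another. The domain name `corp.example` is a placeholder; the registry step must be run, elevated, on the DC whose advertisement you want to de-prioritise.

```powershell
# Added example: inspecting and steering DC selection via SRV priority/weight.
# 'corp.example' is a placeholder domain name; replace with your own.
$Domain = 'corp.example'

# 1. From any domain member: list the DCs advertised in DNS together with
#    their priority (lower value wins) and weight (tie-breaker within a priority).
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table -AutoSize

# 2. Ask the DC locator which DC this machine actually uses right now.
#    /force bypasses the cached answer so the result reflects current DNS and site data.
nltest /dsgetdc:$Domain /force

# 3. On a DC that should only be used when nothing closer answers: raise its
#    advertised priority (default 0) and lower its weight (default 100), then
#    re-register its SRV records so the change reaches DNS immediately.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $NetlogonKey -Name 'LdapSrvPriority' -Value 10 -Type DWord
Set-ItemProperty -Path $NetlogonKey -Name 'LdapSrvWeight'   -Value 50  -Type DWord
nltest /dsregdns
```

Site-aware clients query the per-site records (`_ldap._tcp.<site>._sites.dc._msdcs.<domain>`) before the domain-wide set, so get AD sites and subnets right first; priority and weight then decide the order within whatever set the client lands on.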

Comment

I can't dump Citrix at the moment; it would require me to update to Windows 2008, update licenses, etc., etc.

I plan to do local backups at each site and copy the backup over the WAN during off hours. Luckily my application is only in use between 8am and 6pm my local time, which gives a lot of room for system changes, backups, and WAN usage.